Hi *,

David Sommerseth wrote:
> On 12/04/14 19:55, Christoph Biedl wrote:
> [...snip...]
>
> Just filling out a few things extra, otherwise Gert's answer is fully valid.
>
>   
>> * For each client, I need an individual startup file
>>
>> Status: "up" and friends are not allowed in a CCD file.
>>
>> There might be a workaround using a global setting and using a
>> switch driven by environment variables, I haven't checked yet since
>> I failed to get *any* CCD setup running, see below.
>>     
>
> On the server side, --client-connect and --learn-address are the ones which 
> can be used.  IIRC, --client-connect can also be allowed to generate CCD 
> entries in the script which is returned to the OpenVPN process.
>
>   
correct : the client-connect script can write out lines to a temporary 
script which are picked up as server-side config entries.
The learn-address script cannot do this (as it is used/processed after 
the config entries have been processed).


>> * For an unknown client, the server must reject the connection
>>
>> Status: DEFAULT is tried, and even if missing/unreadable/invalid, some
>> bizarre configuration values are used instead.
>>     
>
> Not sure what you mean with bizarre.  Those settings not configured in
> DEFAULT are based upon whatever is found in the main config.  And if not
> defined there, it's the default values in the OpenVPN binary.  So if you
> dislike these values, modify them.
>
>   
You can also prevent any 'unknown' client from connecting by adding
  ccd-exclusive
Any client that does not have a CCD file is then refused access.
> [....]

>> --- Server, main configuration
>> mode            server
>> tls-server
>> key-method      2
>> local           <redacted>
>> port            1194
>> proto           udp
>> tls-auth        /etc/openvpn/tls-auth
>> client-config-dir       /etc/openvpn/client.d/
>> link-mtu        1464
>> dev             tun # also tried tun0
>> keepalive       60 190
>> ping-timer-rem
>> tun-ipv6
>> comp-lzo
>> dh              /etc/openvpn/dh1024.pem # also tried 2048, 4096
>> ca              /etc/openvpn/iptunnelCA.crt
>> cert            /etc/openvpn/server.crt
>> key             /etc/openvpn/server.key
>> writepid        /var/run/openvpn.master.pid
>>     
>
> Try using --server.  It's a macro which can simplify the important
> parameters.  It also needs a separate IP range for the VPN subnet (network
> between server and clients) which you use to route the traffic between LANs
> behind server and clients.  For IPv6, there's a related --server-ipv6 option.
>
> When using --dev tun, OpenVPN will prepare tun0 if no other tun devices
> exist.  If one does, it tries tun1, tun2, and so on.  If you use --dev tun0,
> it will always try only tun0 and fail to start if tun0 is already taken.
>
> The man page also documents all these options fairly well.
>
>   
yep : without --server you need to specify the IP+subnet manually, at
least for the server tun address itself.
>> --- Server, CCD file for "test-user"
>>
>> ifconfig-push   10.10.9.193 10.10.9.200/32
>>     
>
> That looks fine.
>
>   
depends on the version of OpenVPN used - the /32 looks suspicious to me 
and you must use
   topology subnet
for addresses of this type to work
> [...]
> Otherwise, I want to recommend you the OpenVPN 2 Cookbook by Jan Just Keijser 
> (you'll see him responding from time to time on this ML).  It provides many 
> good starting points for configuration setups for many different scenarios, 
> and also providing helpful info to understand the configuration options used 
> even better.   <http://www.packtpub.com/openvpn-2-cookbook/book>
>
>   
David, thanks for the advert :)

HTH,

JJK
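As an added example (not code from the thread or from the OpenVPN project), here is the client-connect approach David and JJK describe in one script: it writes per-client config lines into the temporary file OpenVPN hands it, which OpenVPN then applies like a CCD file, and it refuses unknown clients with a non-zero exit, the script-side equivalent of ccd-exclusive. The common names, addresses and routes are constructed; it assumes `topology subnet` and `script-security 2` in the server config.

```shell
#!/bin/sh
# Assumed server config (hypothetical):
#   script-security 2
#   topology subnet
#   client-connect /etc/openvpn/client-connect.sh
# OpenVPN runs this script with the path of a temporary config file as $1
# and sets common_name in the environment from the client certificate.
# Lines written to $1 are applied as per-client server-side config entries.
# A non-zero exit status makes OpenVPN refuse the connection.

# gen_client_config CN OUTFILE
# Returns 0 and writes config for a known client, 1 for anything else.
gen_client_config() {
    cn="$1"
    out="$2"

    # Defensive check: only accept plain certificate names before using
    # the value in a shell context.
    case "$cn" in
        *[!A-Za-z0-9._-]*|"")
            echo "client-connect: refusing malformed CN" >&2
            return 1 ;;
    esac

    # Constructed address plan: with "topology subnet" ifconfig-push takes
    # the client address and the subnet mask.
    case "$cn" in
        test-user)
            printf '%s\n' \
                'ifconfig-push 10.10.9.193 255.255.255.0' \
                'push "route 192.168.10.0 255.255.255.0"' > "$out" ;;
        branch-router)
            printf '%s\n' \
                'ifconfig-push 10.10.9.194 255.255.255.0' \
                'iroute 192.168.20.0 255.255.255.0' > "$out" ;;
        *)
            # No entry for this client: same effect as ccd-exclusive.
            echo "client-connect: refusing unknown client '$cn'" >&2
            return 1 ;;
    esac
    return 0
}

# Act on the real connection only when invoked by OpenVPN.
if [ -n "${common_name:-}" ] && [ -n "${1:-}" ]; then
    gen_client_config "$common_name" "$1"
fi
```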



_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users
